#1 2019-01-12 4:44 pm
- aditsu
- Member
- Registered: 2018-12-25
- Posts: 5
Email verification
Hi, I have a website where I let people post comments without registering (I manually approve or delete each comment). I recently started getting a little more spam, so I found Stop Forum Spam and started using it. It's a good service, although the SFS website has a lot of idiosyncrasies and typos.
SFS has helped me block a bunch of spammers, but some are still getting through. So I looked into reporting spammers as the next step. Got an API key and reported 2 spammers so far.
However, I realized that there might be a problem. Since I don't do registrations, the email addresses provided in the comment form may be trivially forged. In fact, I don't even require an email address, but spammers seem to provide one anyway. Your "Add Spam Data" form requires an email address though, so I filled it in. But I couldn't find any indication whether it has to be a verified/validated address or not. I just suspected that reporting unverified addresses could add noise and potentially block legitimate users in the worst case.
Only after digging and searching through the forums I found that you actually expect people to report only verified email addresses. You don't seem to have any measure to enforce that policy or even inform people about it. And it looks like it has already caused some problems.
If my understanding is correct, I suggest taking the following measures:
- IMMEDIATELY add a clear warning about the email address (having to be verified) to the "Add Spam Data" form and also to the API usage page
- allow reporting spam without an email address, or alternatively add a checkbox where I can specify whether the address is verified or not
- consider requiring some kind of evidence of email verification - this is more difficult
Offline
#2 2019-01-12 5:28 pm
- Alex Kemp
- Moderator
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 2,420
- Website
Re: Email verification
I don't do registrations, the email addresses provided in the comment form may be trivially forged
Remove all your spammers (as found under My Spammers), and do so immediately. The FAQ states, and without any typos:–
The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.
Unless and until you implement email verification you may NOT post any spammers here.
I have sent a PM to ped. If those spammers remain, then you will be blocked at the firewall. We take the cleanliness of our DB most seriously.
Offline
#3 2019-01-12 6:03 pm
- sklerder
- Member
- Registered: 2012-10-11
- Posts: 336
- Website
Re: Email verification
Hello!
You wrote:
although the SFS website has a lot of idiosyncrasies and typos.
Perhaps you should detail this point?
If you don't give more details, there's a big chance these typos and idiosyncrasies will remain...
allow reporting spam without an email address, or alternatively add a checkbox where I can specify whether the address is verified or not
It's not that simple: modifying the form for submitting would have an impact on the API, and if the API is modified, modifications made by different authors will break.
And, from my point of view, it wouldn't be a good idea, this could lead to excessive unverified data. The goal of SFS database is to provide verified data.
Offline
#4 2019-01-12 8:06 pm
- aditsu
- Member
- Registered: 2018-12-25
- Posts: 5
Re: Email verification
Hi, thanks for the replies.
Remove all your spammers (as found under My Spammers), and do so immediately.
Done. There were only 2, now there are none.
The FAQ states, and without any typos:– ...
I checked the FAQ now by following your link, and I couldn't find any occurrence of the word "verified". Maybe I'm blind or doing something wrong, I don't know. Either way, I think the warning should be more prominent.
although the SFS website has a lot of idiosyncrasies and typos.
Perhaps you should detail this point?
Sure, let me mention a few:
- home page: "specialsed", "lists details known hostile and abusive addresses", "provide a all the data"
- API usage: "depreciated", "This is not standard or compliant XML" - actually it is perfectly standard and compliant XML 1.0, "the standard format this that query will return results as will XMLDOM" - sentence doesn't make sense and "XMLDOM" hasn't been defined yet, "The default format is not XML compliant" - actually it is, "depreciated" again, "The API supports HTTP however the client must support SNI" - SNI is needed for HTTPS not HTTP, "domaiNs" (capital N?), "obmitted", "epoc"
(I haven't checked other pages in detail)
- the site seems to direct people to install a plugin (apparently assuming that a plugin already exists for the user's website), the API option is harder to find, and seems to be focused on php (I'm using the API from java btw); at least it somewhat acknowledges that and the possibility of using other languages
- the forum pages have 2 search links and a search box, all of them labeled "Search"; I initially tried to use the search box to search in the forum, only to find that it lists spammer entries instead
Modifying the form for submitting would have an impact on the API
Any modification could be done as an optional extension while keeping the old behavior by default.
this could lead to excessive unverified data
I think it would be useful to know if an IP address has been used for spamming, with or without a verified email address. Or do you think the amount of data will be too large and put a strain on the servers?
Anyway, I noted your points, will not add any unverified email in the current system, and hope you will consider my suggestions.
Offline
#5 2019-01-12 9:11 pm
- aditsu
- Member
- Registered: 2018-12-25
- Posts: 5
Re: Email verification
In the meantime I did a google search for "The email address needs to have been verified, by sending it information that is required to complete the registration." and it listed the same FAQ page as the only result. I was able to find that text in the Google cached version of the page. But when I load the live page, it doesn't contain the "What data can I submit?" question with the answer that has that text.
Either way, I think that shouldn't be (only) in the FAQ, but in the form and the API page, as I mentioned in my first suggestion.
Offline
#6 2019-01-12 9:37 pm
- Alex Kemp
- Moderator
- From: Nottingham, England
- Registered: 2009-12-02
- Posts: 2,420
- Website
Re: Email verification
I checked the FAQ now by following your link, and I couldn't find any occurrence of the word "verified"
I now cannot find it either. I copy/pasted it from the link that I copied from the address bar. I've no idea why I cannot re-find it. I do not know how that section vanished, either. Another question for pedigree.
Offline
#7 2019-01-12 9:48 pm
- kpatz
- Member
- Registered: 2008-10-09
- Posts: 1,437
Re: Email verification
I've mentioned in the past that many of the rules for submission, which are enforced, aren't posted in a common place, especially on the submission page. Most are buried in forum threads.
Requiring verified email addresses is one, and requiring that the spammer have posted actual spam (or placed spam links in profile/signature) on your site before submitting is another.
Anyone who initially discovers this site and starts submitting spammers may not be aware of these requirements as a result, and could be submitting tainted data unknowingly.
Last edited by kpatz (2019-01-12 9:48 pm)
Spam happens when greed meets stupidity.
Offline
#8 2019-01-13 2:35 am
- Papa Parrot
- Member
- From: Mexico
- Registered: 2011-08-19
- Posts: 1,826
- Website
Re: Email verification
That might be true, especially ones that don't read anything, but now the OP does know, I do agree something clear on this should be included in the form for getting an API, in fact on the "agree to the rules" part, they should have to follow a link, read the rules, and then if they do agree, follow through with completing the API registrations. As it is now, a new user could easily say "but I did not know that", which is ok, 1 time that excuse would work, now the OP does know, and anyone else that reads this thread knows.
======= edited=====
note, it is there in the FAQ, under > What data can I submit
The database records a log of actual incidents of spam content arriving on live forums and blogs. It does not record suspicious or unwanted activity of any other kind. It is not a ban list or black list as such.
Spam submission must be triggered by a human who makes the decision to report each incident using some judgment. If it was a decision that could be made automatically by software there would be no need for this database.
Spam content is broadly defined as content that is intended to promote a product or a cause, and which is clearly unsuitable for the forum on which it is posted.
Most forums have a registration agreement which specifically excludes spam. Please ensure that your forum registration agreement is clear about this to avoid disputes about whether a post is legitimately regarded as spam.
Some common forms of spam include:
A promotional/commercial but irrelevant web link in a profile signature or elsewhere in a profile.
A post discussing the merits of a product or service, typically with one or more web links (which may or may not be easy for a human reader to spot)
A post containing just one or more web links
A post consisting of gibberish text apparently on some kind of theme, with links buried in it
A post advertising a (frequently illegal or semi-legal) service containing contact mobile phone numbers or a post box address.
A post by someone apparently responding to a question requesting product suggestions (from an accomplice) with a link to something they 'found'. (These are harder to spot unless you know what you're looking for).
Spammers will think of other forms, which are submittable if they meet the broad definition above. Not all posts that meet any of the above definitions need be regarded as spam. Some judgment is required.
Common forms of non-spam (that can't be submitted) include:
Suspicious registrations - even those already listed in the database
Hacking attempts
Posts that are merely offensive
* None of these are sufficient because they do not contain spam material.
The content of spam posts should be submitted as evidence where practicable, but this is not required.
A spam report without evidence that is challenged by the reported spammer is more likely to be removed than one with evidence.
A spam submission here needs:
the registration user name
the IP address
the email address
preferably spam content as evidence.
Note
The IP must be the actual IP used to contact the forum or blog. If your forum is behind a reverse proxy such as Cloudflare, you'll need to find the origin IP to submit. If a visit comes from a web proxy or other service, you report the web proxy IP, not the IP address that it may claim it is forwarding for.
If you're using a recommended forum plugin with a 'submit to stopforumspam' button, it should be taking care of this for you.
The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.
Spammers occasionally use different IPs for registration and spam posting. You can report either or both as convenient. To report both, you will need to make the same submission twice specifying different IPs. Include evidence only with the submission for the actual post. This is only relevant if you're doing manual submission via the webform on this site, or building a forum plugin.
The email address needs to have been verified, by sending it information that is required to complete the registration. This is to ensure that the email address is actually under the control of the spammer, and hasn't just been quoted from some public mention of it. Most forums can do email verification of this kind, though it is not always enabled by default. If yours doesn't, then you MAY NOT submit data here.
Offline
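The verification rule quoted in the FAQ text above, sketched as an added example that is not part of the thread and is not Stop Forum Spam's or any forum plugin's code: a site e-mails an expiring, signed token bound to the address, and only treats the address as reportable once the token comes back. The secret, the record field names and `may_report` are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: per-site secret loaded from configuration; constructed value here.
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 24 * 3600  # seconds a verification link stays valid


def _sign(email: str, expires: int) -> bytes:
    # The MAC covers the normalised address and the expiry, so a token
    # cannot be replayed for another address or have its lifetime extended.
    payload = f"{email.strip().lower()}|{expires}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Token to send to the address; only its owner can hand it back."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL)
    return f"{expires}.{_sign(email, expires).decode()}"


def confirm_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """True only if the token was issued for this address and is unexpired."""
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    if current > expires:
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(sig.encode(), _sign(email, expires))


def may_report(record: dict) -> bool:
    """Gate before a submission: all three fields present, the address
    verified, and a human moderator (not software) marked the post as spam."""
    has_fields = all(record.get(k) for k in ("username", "ip", "email"))
    return (has_fields
            and record.get("email_verified") is True
            and record.get("human_marked_spam") is True)
```

A comment form that never sends such a token, as in the original poster's setup, would leave `email_verified` unset and the gate would refuse the report.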
#9 2019-01-13 4:31 am
- pedigree
- uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
- From: New Zealand
- Registered: 2008-04-16
- Posts: 7,054
Re: Email verification
you have no submissions to remove but please do not add a record without a verified email address. unverified data is NOT permitted
Offline
#10 2019-01-13 8:23 am
- aditsu
- Member
- Registered: 2018-12-25
- Posts: 5
Re: Email verification
many of the rules for submission, which are enforced, aren't posted in a common place, especially on the submission page.
Anyone who initially discovers this site and starts submitting spammers may not be aware of these requirements as a result, and could be submitting tainted data unknowingly.
I couldn't agree more!
now the OP does know
Now yes, but initially I didn't, and the same thing can happen with any new user.
something clear on this should be included in the form for getting an API
You mean an API key? Yes, the sign up form is another good place to mention it.
As it is now, a new user could easily say "but I did not know that", which is ok
Well, they could be adding a thousand spammers with unverified addresses and still not know that there's any problem, unless they happen to read about it in the forum, or to think about how SFS really works and search and/or ask about it like I did.
note, it is there in the FAQ, under > What data can I submit
Already discussed in comments #2, #4, #5 and #6
you have no submissions to remove
That's because I already removed them.
unverified data is NOT permitted
Ok, but that should be made clear on the website.
Offline
#11 2019-01-13 8:50 am
- kpatz
- Member
- Registered: 2008-10-09
- Posts: 1,437
Re: Email verification
note, it is there in the FAQ, under > What data can I submit
That wasn't there 24 hours ago. Was it just added?
The entire FAQ needs revamping anyway.
The new API key page, as well as the submit page, should mention these rules as well, or at least provide a clearly marked link to them.
Spam happens when greed meets stupidity.
Offline
#12 2019-01-13 8:55 am
- aditsu
- Member
- Registered: 2018-12-25
- Posts: 5
Re: Email verification
That wasn't there 24 hours ago. Was it just added?
I still don't see it. It seems that different people (and sometimes the same people at different times) see different versions of the FAQ page. Also see comment #6.
Offline
#13 2019-01-13 2:37 pm
- zero-tolerance
- Member
- Registered: 2013-02-25
- Posts: 339
Re: Email verification
I don't see it either. However the long and detailed section that Papa Parrot posted above has been part of the FAQ in that form for most of the last year. But it seems to be missing at the moment.
Speculation: is it currently visible only to staff members? (A staff member could check this by looking again whilst logged out). I've tried using various browsers and various IP locations but I'm not seeing it through any of them. The rest of the FAQ seems to be there, but that section is not.
Offline
#14 2019-01-13 3:00 pm
- Papa Parrot
- Member
- From: Mexico
- Registered: 2011-08-19
- Posts: 1,826
- Website
Re: Email verification
(A staff member could check this by looking again whilst logged out).
I tried, and still do see it. It does seem odd though that some people see it and others don't.
I don't know what to think or say on that.
Offline
#15 2019-01-13 3:08 pm
- zero-tolerance
- Member
- Registered: 2013-02-25
- Posts: 339
Re: Email verification
Currently under Do's and Don'ts I see 3 expandable items:
How we prefer not to see the data used and why
Not all IP addresses are equal
What you should think about using the data for
Under the English section I see 12 expandable items:
What do we do?
How can I see this information?
I'm listed on your site but Im not a spammer
What do we do?
How can I tell if someone is a spammer?
I run a network. Can you notify me if we get listed?
Can I help?
How can I help?
How much does it cost?
How can you support me?
I'm going to sue you for listing me!
Who has helped you?
If it's not a permission issue perhaps it's a stale cache at CF or something.
Offline
#16 2019-01-13 3:12 pm
- kpatz
- Member
- Registered: 2008-10-09
- Posts: 1,437
Re: Email verification
Currently under Do's and Don'ts I see 3 expandable items:
How we prefer not to see the data used and why
Not all IP addresses are equal
What you should think about using the data for
This is what I see now. I did see "What data can I submit?" as a 4th item yesterday. It's like a mystery novel. The mysterious disappearing FAQ.
EDIT: First time I clicked the FAQ this morning, from the top menu bar, that item did not appear. Then I clicked the link in Papa Parrot's post, and the item now appears again. And it also appears again when I click the FAQ link. It's some sort of weird caching issue.
The only difference in the links is one has a # on the end and one does not.
Link from menu bar: https://www.stopforumspam.com/faq
Link from PP's post: https://www.stopforumspam.com/faq#
Last edited by kpatz (2019-01-13 3:17 pm)
Spam happens when greed meets stupidity.
Offline
#17 2019-01-13 3:22 pm
- zero-tolerance
- Member
- Registered: 2013-02-25
- Posts: 339
Re: Email verification
Neither link shows me the fourth item. But yes, it does look like a caching issue.
Last edited by zero-tolerance (2019-01-13 3:24 pm)
Offline
#18 2019-01-13 9:40 pm
- Papa Parrot
- Member
- From: Mexico
- Registered: 2011-08-19
- Posts: 1,826
- Website
Re: Email verification
Hmm, OK, well, I can now confirm as well: sometimes it is there, and just now when I looked, it is NOT there. Also,
when I selected the English option, it does not appear to be the same as what I saw yesterday...
That is strange. Pedigree will need to look at this and see if he can figure it out. I don't think it has always been this way; last time I looked at the FAQ was several months ago, and I did not notice anything like this.
======== edit ====
After logging out, and back in again, now it is there... Anyway, this is not the way it is supposed to be; it should always be there.
Offline
#19 2019-01-14 12:13 am
- pedigree
- uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
- From: New Zealand
- Registered: 2008-04-16
- Posts: 7,054
Re: Email verification
Time to check out the caches/language files again I see
Offline